2019_4507 Content of eIDAS certificates if agents or outsource providers are involved

Question ID:

2019_4507

Legal Act:

Directive 2015/2366/EU (PSD2)

Topic:

Strong customer authentication and common and secure communication (incl. access)

Article:

Paragraph:

Subparagraph:

(a)

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:

Not applicable

Article/Paragraph:

n/a

Disclose name of institution / entity:

Yes

Name of institution / submitter:

Bundesdruckerei GmbH

Country of incorporation / residence:

Germany

Type of submitter:

Other

Subject Matter:

Content of eIDAS certificates if agents or outsource providers are involved

Question:

Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers has to show up in the certificates?

Background on the question:

The statement in EBA -Op-2018-7 Item 21 (Opinion of the EBA on the use of eIDAS certificates)

“CAs should also ensure that ASPSPs accept eIDAS certificates presented by agents or outsource providers acting on behalf of AISPs, PISPs and CBPIIs, provided that the ASPSP is in a position to unequivocally identify the principal PSP in the presented certificate.“ seems to indicate that certificates in this situation have a different content.

Qualified Trust Service Providers (QTSPs) have to know which information is expected in the certificates.

Date of submission:

01/02/2019

Published as Final Q&A:

26/04/2019

Final Answer:

Article 34 of the Commission Delegated Regulation (EU) 2018/389 specifies that for the purpose of identification, as referred to in Article 30(1)(a), payment service providers (PSP) shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication as referred to in Article 3(39) of that Regulation.

Where a PSP providing account information, payment initiation or card-based payment instrument issuing services uses agents or has outsourced to technical service providers (TSPs) part of its activities, including in relation to the access to the online accounts held within an account servicing payment service provider (ASPSP), in line with paragraph 20 of the EBA Opinion on the use of eIDAS certificates (EBA-Op-2018-7), it remains responsible and liable for the acts of these agents and TSPs.

In addition and as stated in paragraph 21 of the EBA Opinion, ASPSPs should be in a position to unequivocally identify the principal PSP in the presented certificate.

In relation to the above two paragraphs, eIDAS certificates should be issued to authorised/registered PSPs and contain the name of said PSP in the so called ‘Subject Distinguished Name’.

Further, in line with paragraph 20 of the EBA Opinion, in the cases where an eIDAS certificate is presented to ASPSPs by an agent or a TSP acting on behalf of the PSP accessing the online account, if technically feasible, the name of the agent/TSP may be included in the eIDAS certificate in addition to the name of the principal PSP. ASPSPs are required to identify the principal PSP only.

Finally, it should be noted that there is no legal requirement to include the name of the agent in the eIDAS certificate.

Status:

Final Q&A

Answer prepared by:

Answer prepared by the EBA.